I. WLAN security mechanisms
In 2004 the WLAN product market will face severe tests: the low-end product market will tend toward homogeneous products and price wars, and if companies cannot move into the high-end market in time, a WLAN investment bubble will begin. At the same time, more and more business decision makers regard security as the primary factor affecting their WLAN deployment decisions.
1. Basic WLAN security
Service Set Identifier (SSID): a wireless client must present the correct SSID to access the wireless access point (AP). SSIDs allow users to be grouped and prevent arbitrary roaming that would harm security and access performance, so they provide a certain degree of security for a WLAN. However, the AP periodically broadcasts its SSID, which lowers that security. In addition, the SSID is generally configured by the user on the client system, so it is known to many people and easily shared with unauthorized users. Moreover, some vendors support an "any" SSID mode: as long as a wireless client is within range of the AP it connects automatically, which bypasses the SSID's security function entirely.
Physical address (MAC) filtering: each wireless client network card is identified by a unique physical address, so a list of MAC addresses allowed to access the AP can be maintained manually to implement physical address filtering. Physical address filtering is hardware authentication, not user authentication. It requires the MAC address list in the AP to be kept up to date, which is currently a manual operation; as the number of users grows it scales very poorly, so it is only suitable for small networks. In addition, an unauthorized user can easily capture legitimate MAC addresses by listening on the network, and since a MAC address is not hard to change, the unauthorized user can simply impersonate a legitimate MAC address to gain access.
2. IEEE 802.11 security technology
(1) Authentication
Before exchanging data, a wireless client and the central device must first carry on a dialogue. When the 802.11b standard was drawn up, IEEE added a feature: as soon as a device begins a dialogue with the central device, authentication starts, and the device cannot carry out any other communication before passing authentication. This feature can be set to Shared Key Authentication or Open Authentication; the default is the latter. Under the default setting any device can communicate with the central device, but cannot pass through it into a higher-security zone. When Shared Key Authentication is set, the client must first send a connection request to the central device; the central device then sends back a string of characters and requires the client to return it encrypted with the WEP key. Only if the response is correct can the client communicate with the central device and enter the higher level.
This authentication method has a shortcoming: the characters sent back by the central device are in clear text. By listening to the exchange, an attacker obtains two of the three values in the authentication computation, the challenge characters and the response returned by the client, leaving only one unknown. Given how the RC4 encryption algorithm works, the attacker can then easily recover the shared authentication keystream. Since WEP uses the same key throughout, an intruder can then reach other clients through the central device. Ironically, this security feature should usually be left at Open Authentication, so that anyone can communicate with the central device and security is ensured by other means. Although not using this security function appears to contradict the goal of securing the network, in practice the potential danger it brings is greater than the help it provides.
(2) Confidentiality
Wired Equivalent Privacy (WEP): although WEP provides network security by encryption, it has many flaws:
Lack of key management. The user's encryption key must be the same as the AP's key, and all users in a service area share the same key. The WEP standard does not specify a management scheme for the shared key, so it is usually configured and maintained by hand. Because replacing the key everywhere at once takes time and effort, the same key is typically used for a long time, and if one user's key is leaked the entire network is exposed.
The ICV algorithm is unsuitable. The WEP ICV is based on CRC-32, an algorithm designed to detect transmission noise and ordinary errors. CRC-32 is a linear function of the message, which means an attacker can tamper with the encrypted message and easily adjust the ICV so that the message still appears trustworthy. Being able to tamper with encrypted packets enables a variety of very simple attacks.
The RC4 algorithm has weaknesses. Weak keys have been found in RC4; a weak key is one for which the correlation between key and output exceeds what a good cipher should allow. Within the 24-bit IV space there are more than 9,000 weak keys. After collecting enough packets encrypted under weak keys, an attacker can analyze them and gain access to the network. By exploiting the authentication and encryption vulnerabilities together, a WEP key can be cracked in a short time.
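The ICV defect just described, as an added Python example that is not code from the original article: a WEP-style frame (RC4 keystream over payload plus CRC-32 ICV) is modified by someone who never learns the key, and because CRC-32 is affine the encrypted ICV can be corrected so the receiver accepts the change; a keyed integrity check rejects the same forgery. The key, IV and payload are constructed values, and HMAC-SHA256 is assumed as a stand-in for CCMP's AES CBC-MAC.

```python
import hashlib
import hmac
import zlib

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4; WEP seeds it with IV || shared key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crc32(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "big")

def wep_protect(iv: bytes, key: bytes, payload: bytes) -> bytes:
    """WEP frame body: RC4(IV || key) XOR (payload || CRC-32 ICV)."""
    body = payload + crc32(payload)
    return xor(rc4_keystream(iv + key, len(body)), body)

def wep_open(iv: bytes, key: bytes, frame: bytes):
    """Decrypt and verify the ICV; returns (payload, icv_valid)."""
    body = xor(rc4_keystream(iv + key, len(frame)), frame)
    return body[:-4], body[-4:] == crc32(body[:-4])

def flip_without_key(frame: bytes, delta: bytes) -> bytes:
    """Apply an XOR delta to the ciphertext and fix the encrypted ICV.
    CRC-32 is affine: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros), so the
    ICV correction depends only on d, never on the key or keystream."""
    icv_delta = xor(crc32(delta), crc32(bytes(len(delta))))
    return xor(frame, delta + icv_delta)

def keyed_mic(mic_key: bytes, payload: bytes) -> bytes:
    """Keyed integrity check (assumption: HMAC-SHA256 truncated to 8 bytes
    stands in for CCMP's AES CBC-MAC, which stdlib Python lacks)."""
    return hmac.new(mic_key, payload, hashlib.sha256).digest()[:8]

def demo():
    """Constructed key, IV and payload; returns what the receiver sees."""
    key, iv, mic_key = b"\x01\x02\x03\x04\x05", b"\x10\x20\x30", b"mic-key"
    payload = b"amount=0010"
    frame = wep_protect(iv, key, payload)
    mic = keyed_mic(mic_key, payload)
    # The tamperer guesses the plaintext layout and turns "0010" into "9910".
    delta = xor(payload, b"amount=9910")
    forged = flip_without_key(frame, delta)
    new_payload, icv_ok = wep_open(iv, key, forged)
    mic_ok = hmac.compare_digest(keyed_mic(mic_key, new_payload), mic)
    return new_payload, icv_ok, mic_ok
```

The receiver's CRC check passes on the altered payload while the keyed check fails, which is exactly the gap CCMP's keyed CBC-MAC closes.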
3. IEEE 802.11i standard
(1) Authentication: port-based access control (IEEE 802.1X)
With 802.1X, the central device requires a set of credentials when a device accesses it. The credentials provided by the user are forwarded by the central device to a server for authentication. This server is a RADIUS server (Remote Authentication Dial-In User Service), which is usually used to authenticate dial-up users. The whole process is carried out with EAP (Extensible Authentication Protocol), which is part of the 802.1X standard. EAP is a collection of authentication methods that lets developers generate their own credentials in various ways, and it is also the most important security function in 802.1X. There are four main EAP modes.
However, IEEE 802.1X provides authentication only between the wireless client and the RADIUS server, not between the client and the wireless access point AP. The user authentication information is only a user name and password, and its storage, use and transfer carry many security risks such as leakage or loss. The AP and the RADIUS server complete the session key negotiation on the basis of a key they share, and that shared key is static and managed by hand, which is a further security hazard.
(2) Confidentiality
Improvement to Wired Equivalent Privacy: TKIP.
At present the Wi-Fi Alliance's recommended WLAN security solution WPA (Wi-Fi Protected Access), and the IEEE 802.11i standard still being drawn up, use TKIP (Temporal Key Integrity Protocol) as a transitional security solution. Compared with WEP, TKIP is still based on the RC4 encryption algorithm, but it extends the WEP key length to 128 bits and the initialization vector (IV) from 24 bits to 48 bits. Because WEP's vulnerability stems from the WEP mechanism itself and is independent of key length, increasing the encryption key length cannot improve its security, and lengthening the IV only raises the difficulty of cracking (for example by extending the time needed to collect information); it does not solve the problem fundamentally, because as a transitional security measure TKIP does not depart from WEP's core mechanism.
The ultimate encryption solution of the IEEE 802.11i standard is CCMP (CBC-MAC Protocol) built on IEEE 802.1X authentication: it uses AES (Advanced Encryption Standard) as its core algorithm in CBC-MAC mode, with an initialization vector that includes a packet sequence number. CCMP is a 128-bit block encryption algorithm whose security is higher than all the algorithms described above.
4. VPN technology
As a relatively reliable network security solution, VPN technology has been widely adopted in wired networks, especially corporate ones. However, the characteristics of wireless applications have largely hindered the use of VPN technology, mainly in the following respects:
Fragility of operation: it is well known that fluctuations in wireless link quality, or short interruptions caused by sudden interference or switching between AP zones, are characteristic of wireless use, so the user's communication link is briefly interrupted. Ordinary TCP/IP applications are not sensitive to this, but for a VPN link the effect is serious: once an interruption occurs, the user has to re-establish the VPN connection by hand. For WLAN users, especially mobile ones or those needing QoS guarantees (such as VoIP services), this is unbearable.
Interoperability: there is no unified development standard for VPN technology in the country, and each company has developed its own proprietary products based on its own technology and goals, so the systems are diverse and not generic. This contradicts the emphasis on interoperability in WLAN applications.
Network scalability: VPN technology provides network security at the cost of scalability, mainly because of the complexity of VPN network configuration. Changing the topology or content of a VPN network usually requires users to re-plan and reconfigure the network, which is unacceptable for a medium-sized network.
Cost: the three problems above all raise the cost of installing the user's network. Another important factor is that VPN products themselves are very expensive; for small and medium-sized network users the cost can even exceed the purchase price of the WLAN equipment.
II. WLAN switching and roaming
1. Switching and roaming
WLAN switching refers to the process, within the same SSID (AP), in which the mobile terminal establishes a connection with a new AP and cuts off the connection to the original AP. Roaming refers to the same process between different SSIDs (APs).
There are two ways to join an existing service area: active scanning and passive scanning. In active scanning the station probes for access points and receives synchronization information from the access point device. The same synchronization information can be obtained by passive scanning, by listening for the beacon frames transmitted by each access point. Once the station has located an access point, authentication information must be exchanged along with the synchronization information; this exchange takes place between the access point and the station, with each device supplying a preset password. After the station is authenticated, the association process begins, during which the station and the access point exchange station information and access point service capability information, which tells the group of access points where the station currently is. Once association is complete, the station can send and receive frames. When the station moves away from its access point, it notices that the access point's link signal is weakening. The station uses its scanning function to find another access point, or selects one using the information obtained in its last scan. Once a new access point is found, the station sends it a re-association request. If the station receives a re-association response, it has a new access point and roaming has succeeded.
2. Mobile IP
In a wireless network, if a user moves while using wireless LAN access service, then once the mobile terminal leaves the coverage of its subnet, IP packets can no longer reach it and communication is interrupted. To address this, the IETF has developed a series of standards extending mobility in IP networks. So-called mobile IP means that the same IP address can be used across multiple subnets of an IP network. The technique is implemented by managing the network terminals with special routers called the home agent and the foreign agent. A mobile IP system guarantees that the user's mobile terminal always communicates using a fixed IP address, so that an existing TCP connection is not interrupted while the terminal moves. In a wireless LAN system, wide use of mobile IP technology can overcome the geographical limits of the network, and avoid the communication interruptions and permission changes that occur when crossing network segments under the Dynamic Host Configuration Protocol (DHCP).
3. Problems with switching and roaming
When no encryption protocol is enabled, service connections between APs with the same SSID are controlled by the AC (wireless access controller), and the AP acts only as a layer-2 relay. Between different SSIDs (APs), because the IP address changes, the service must be interrupted and the connection re-established with new authentication and accounting.
If an encryption mechanism is used, for example WEP as provided by default, the user must manually enter a 40-bit or 104-bit key whenever connecting to a new access point; otherwise there is no security. In practice, encryption has brought a lot of trouble to roaming, because the user must be told the key of the new access point, and how to securely distribute and store these new keys is itself a problem, so most operators do not use encryption measures such as WEP.
III. WLAN coverage and antenna technology
The frequency range of 802.11 is 2400 to 2483.5 MHz, divided into 14 sub-channels each 22 MHz wide, of which at most three do not overlap (1, 6 and 11), for a total transmission capacity of up to 33 MHz.
1. Outdoor coverage
Outdoor coverage uses macro cells and microcells. In environments with fewer power restrictions, such as rural areas, the field and large sports venues, the coverage of a single base station can be increased by raising base station transmit power and receive sensitivity and by raising the base station antenna height.
(1) Macro cells
Only when the base station is in an open area can the receiver input power meet the sensitivity requirements of a standard wireless LAN receiver. If the base station's sensitivity and power are appropriately improved it can cover a larger range, but in a city or suburb, applying macro cells would require greatly increasing the power and sensitivity of wireless LAN transceivers, which is not permitted by urban spectrum and electromagnetic compatibility restrictions and also raises cost. Therefore macro cells are not recommended unless the application is in a wide open area.
(2) Microcells
Microcell coverage can be used in cities or suburbs, with APs usually installed on top of buildings, on purpose-built transmission towers, or on existing facilities such as streetlights and other street furniture. Link budget calculation determines the maximum range at which receiver sensitivity is satisfied, and antenna selection also makes it possible to meet the receiver sensitivity requirement and give good coverage of key areas. Combining the above factors, the positions of all microcell base stations in a given area are determined to complete the coverage.
2. Indoor coverage
Compared with outdoors, the indoor propagation environment is smaller and changes less; it is not affected by weather such as rain, snow or clouds, but it is strongly affected by the size, shape, structure, room layout and furnishings of buildings, and above all by building materials. Indoor obstacles include not only brick walls but also wood, glass, metal and other materials. These factors make the indoor propagation environment more complex than the outdoor one.
Indoors, microcells, indoor distributed antennas, or a combination of the two are usually used to cover blind zones.
3. Antenna technology
Where transmit power is limited, antenna technology becomes an important means of improving coverage. High-gain omnidirectional antennas should be used outdoors and directional antennas indoors, together with diversity reception and smart antenna technology; at the same time, frequency and electromagnetic interference should be avoided.
Diversity reception uses several separate channels between the transmitter and the receiver. When the independent channels are essentially spatial, antenna diversity and polarization diversity can be obtained: there is enough spacing between the antenna elements of the receiver and transmitter that the respective signals are uncorrelated or only weakly correlated, and antenna diversity can then be used to improve the link performance of the signal or to increase data throughput.
Antenna diversity techniques can be divided into two categories: transmit diversity and receive diversity.
(1) Receive diversity
Using multiple antennas at the receiver is called receive diversity, which is fairly easy to implement. Essentially the receiver obtains multiple copies of the transmitted signal stream, and with suitable signal processing these copies can be combined effectively. As the number of antennas increases, the probability of outage falls toward zero and the effective channel approaches an additive Gaussian noise channel. The two most common receive diversity techniques are selection combining and optimal combining.
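The claim above, that outage probability falls toward zero as receive antennas are added, worked through as an added Python example that is not from the original article: closed-form outage for selection combining and for maximal-ratio combining (assumed here as the "optimal" combiner for the noise-only case) under Rayleigh fading, checked against a small Monte Carlo simulation. The SNR threshold and branch counts are constructed values.

```python
import math
import random

def selection_outage(x: float, n: int) -> float:
    """Analytic outage for n-branch selection combining in Rayleigh fading.
    x is the required SNR divided by the mean per-branch SNR."""
    return (1.0 - math.exp(-x)) ** n

def mrc_outage(x: float, n: int) -> float:
    """Analytic outage for n-branch maximal-ratio combining (MRC), the
    optimal combiner when the branches see only additive Gaussian noise."""
    return 1.0 - math.exp(-x) * sum(x ** k / math.factorial(k) for k in range(n))

def simulate_outage(x: float, n: int, combiner: str,
                    trials: int = 20000, seed: int = 7) -> float:
    """Monte Carlo check: under Rayleigh fading each branch's normalised SNR
    is exponential(1); an outage occurs when the combined SNR is below x."""
    rng = random.Random(seed)
    outages = 0
    for _ in range(trials):
        branches = [rng.expovariate(1.0) for _ in range(n)]
        combined = max(branches) if combiner == "selection" else sum(branches)
        if combined < x:
            outages += 1
    return outages / trials

def outage_table(x: float = 1.0, max_branches: int = 4):
    """Outage probability versus antenna count: {n: (selection, mrc)}."""
    return {n: (selection_outage(x, n), mrc_outage(x, n))
            for n in range(1, max_branches + 1)}
```

With one antenna both combiners give the same outage; each added branch lowers it, and MRC always does at least as well as selection.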
(2) Transmit diversity
Multi-element transmit antenna arrays will play an increasingly important role in emerging wireless LAN networks, especially at access points. When used with appropriately designed signal processing algorithms, such arrays greatly improve performance.
IV. Conclusion
WLAN technology is still developing and changing rapidly. The 802.11b products in use today will inevitably evolve toward the higher transmission rates of 802.11a and 802.11g, and 802.11g in particular is likely to become mainstream. Operators and product manufacturers should seize this rare opportunity and work together to shorten the evolution process. On the security side, 802.11b products already deployed in large numbers can be upgraded to WPA through software, and access point (AP) devices integrating multiple functions can be used to reduce the cost of use. Although encryption measures inevitably have some impact on 802.11b performance and make use less convenient, a commercial network must adopt them, because they are a prerequisite for long-term profit. Networks can then gradually upgrade to 802.11g equipment that is compatible with 802.11b devices, although in this mixed mode the different modulation schemes of 802.11b and 802.11g have some impact on actual transmission efficiency. In addition, the complexity of designing and implementing a wireless LAN must be recognized; surveying and testing before formal deployment should be emphasized, and practical networking plans formulated.
If the wireless LAN is a bird that wants to spread its wings, then it at least needs stronger, more solid wings to achieve the dream of connecting with the world from anywhere at any time.